Analysis
max time kernel: 136s
max time network: 18s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system
submitted: 10-07-2024 06:48
Behavioral task: behavioral1
Sample: ec94acb3d9efe0688bf65b94880383e9cf6d94650525b060d77ec6e7e0fb21eb.exe
Resource: win7-20240705-en
General
Target: ec94acb3d9efe0688bf65b94880383e9cf6d94650525b060d77ec6e7e0fb21eb.exe
Size: 1.3MB
MD5: bfa7e58897f5d9f4f1f7be28c98aa768
SHA1: 62e09cb7194008106755301f73a892aa3e99000c
SHA256: ec94acb3d9efe0688bf65b94880383e9cf6d94650525b060d77ec6e7e0fb21eb
SHA512: e8bcc9510544a1d7268107fec4643caca1a16dc10b23587a458e867d565dd2abf61ab0b48a4a61d29a97aa225cff58e30a25e9228cc636e197d414344ebc0038
SSDEEP: 24576:zQ5aILMCfmAUjzX6xQt+4En+bcMAOVMId03vDM5CZe0PZ0:E5aIwC+Agr6StVEnmcK9dFCfW
Malware Config
Signatures
- KPOT Core Executable (1 IoC)
  resource: behavioral1/files/0x00090000000173e1-20.dat
  yara_rule: family_kpot
- Trickbot x86 loader (1 IoC)
  Detected Trickbot's x86 loader that unpacks the x86 payload.
  resource: behavioral1/memory/1752-15-0x0000000000500000-0x0000000000529000-memory.dmp
  yara_rule: trickbot_loader32
- Executes dropped EXE (3 IoCs)
  pid 2248: ec94acb3d9efe0799bf76b94990393e9cf7d94760626b070d88ec7e8e0fb21eb.exe
  pid 2968: ec94acb3d9efe0799bf76b94990393e9cf7d94760626b070d88ec7e8e0fb21eb.exe
  pid 2304: ec94acb3d9efe0799bf76b94990393e9cf7d94760626b070d88ec7e8e0fb21eb.exe
- Loads dropped DLL (2 IoCs)
  pid 1752: ec94acb3d9efe0688bf65b94880383e9cf6d94650525b060d77ec6e7e0fb21eb.exe
  pid 1752: ec94acb3d9efe0688bf65b94880383e9cf6d94650525b060d77ec6e7e0fb21eb.exe
- Drops file in System32 directory (1 IoC)
  description: File opened for modification
  ioc: C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
  process: powershell.exe
- Launches sc.exe (2 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid 704: sc.exe
  pid 1924: sc.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 1752: ec94acb3d9efe0688bf65b94880383e9cf6d94650525b060d77ec6e7e0fb21eb.exe
  pid 1752: ec94acb3d9efe0688bf65b94880383e9cf6d94650525b060d77ec6e7e0fb21eb.exe
  pid 1752: ec94acb3d9efe0688bf65b94880383e9cf6d94650525b060d77ec6e7e0fb21eb.exe
  pid 1732: powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, pid 1732, powershell.exe
  Token: SeTcbPrivilege, pid 2968, ec94acb3d9efe0799bf76b94990393e9cf7d94760626b070d88ec7e8e0fb21eb.exe
  Token: SeTcbPrivilege, pid 2304, ec94acb3d9efe0799bf76b94990393e9cf7d94760626b070d88ec7e8e0fb21eb.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid 1752: ec94acb3d9efe0688bf65b94880383e9cf6d94650525b060d77ec6e7e0fb21eb.exe
  pid 2248: ec94acb3d9efe0799bf76b94990393e9cf7d94760626b070d88ec7e8e0fb21eb.exe
  pid 2968: ec94acb3d9efe0799bf76b94990393e9cf7d94760626b070d88ec7e8e0fb21eb.exe
  pid 2304: ec94acb3d9efe0799bf76b94990393e9cf7d94760626b070d88ec7e8e0fb21eb.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\ec94acb3d9efe0688bf65b94880383e9cf6d94650525b060d77ec6e7e0fb21eb.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ec94acb3d9efe0688bf65b94880383e9cf6d94650525b060d77ec6e7e0fb21eb.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1752
  - C:\Windows\SysWOW64\cmd.exe
    command line: /c sc stop WinDefend
    - Suspicious use of WriteProcessMemory
    PID: 2272
    - C:\Windows\SysWOW64\sc.exe
      command line: sc stop WinDefend
      - Launches sc.exe
      PID: 704
  - C:\Windows\SysWOW64\cmd.exe
    command line: /c sc delete WinDefend
    - Suspicious use of WriteProcessMemory
    PID: 2432
    - C:\Windows\SysWOW64\sc.exe
      command line: sc delete WinDefend
      - Launches sc.exe
      PID: 1924
  - C:\Windows\SysWOW64\cmd.exe
    command line: /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    - Suspicious use of WriteProcessMemory
    PID: 1928
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1732
  - C:\Users\Admin\AppData\Roaming\WinSocket\ec94acb3d9efe0799bf76b94990393e9cf7d94760626b070d88ec7e8e0fb21eb.exe
    command line: C:\Users\Admin\AppData\Roaming\WinSocket\ec94acb3d9efe0799bf76b94990393e9cf7d94760626b070d88ec7e8e0fb21eb.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2248
    - C:\Windows\system32\svchost.exe
      command line: C:\Windows\system32\svchost.exe
      PID: 2620
- C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {0B6BBE39-DC44-4086-989A-C6D1555426FF} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID: 912
  - C:\Users\Admin\AppData\Roaming\WinSocket\ec94acb3d9efe0799bf76b94990393e9cf7d94760626b070d88ec7e8e0fb21eb.exe
    command line: C:\Users\Admin\AppData\Roaming\WinSocket\ec94acb3d9efe0799bf76b94990393e9cf7d94760626b070d88ec7e8e0fb21eb.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2968
    - C:\Windows\system32\svchost.exe
      command line: C:\Windows\system32\svchost.exe
      PID: 2764
  - C:\Users\Admin\AppData\Roaming\WinSocket\ec94acb3d9efe0799bf76b94990393e9cf7d94760626b070d88ec7e8e0fb21eb.exe
    command line: C:\Users\Admin\AppData\Roaming\WinSocket\ec94acb3d9efe0799bf76b94990393e9cf7d94760626b070d88ec7e8e0fb21eb.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 2304
    - C:\Windows\system32\svchost.exe
      command line: C:\Windows\system32\svchost.exe
      PID: 976
Network
MITRE ATT&CK Enterprise v15
Downloads
- \Users\Admin\AppData\Roaming\WinSocket\ec94acb3d9efe0799bf76b94990393e9cf7d94760626b070d88ec7e8e0fb21eb.exe
  Filesize: 1.3MB
  MD5: bfa7e58897f5d9f4f1f7be28c98aa768
  SHA1: 62e09cb7194008106755301f73a892aa3e99000c
  SHA256: ec94acb3d9efe0688bf65b94880383e9cf6d94650525b060d77ec6e7e0fb21eb
  SHA512: e8bcc9510544a1d7268107fec4643caca1a16dc10b23587a458e867d565dd2abf61ab0b48a4a61d29a97aa225cff58e30a25e9228cc636e197d414344ebc0038